[Libvir] Reliably detecting if Intel VT is disabled in the BIOS

Richard W.M. Jones rjones at redhat.com
Wed Mar 14 15:10:32 UTC 2007 

VMXON is the instruction which turns on Intel VT extensions[1].  This 
instruction can be enabled and disabled by setting a bit in a CPU 
register.  Moreover, this CPU register itself can be locked so that no 
changes can be made until the CPU is power-cycled.

In detail, the register is the IA32_FEATURE_CONTROL (0x3A) MSR.  The 
relevant bits are:

   bit 0   Lock bit (0 = unlocked, 1 = permanently locked)
   bit 1   Enable VMXON in Intel Safer Mode Extensions (SMX)
   bit 2   Enable VMXON in normal operation

So to find out if VT is possible with the CPU, use CPUID (in practice, 
check if "vmx" is in /proc/cpuinfo flags).

To find out if VT can be turned on in the host, check bit 2 in the above 
register.  There is a handy tool called msr-tools[2] which you can use:

   # ./rdmsr 0x3a
   ff03

(bit 2 is clear, so VT is _not_ enabled on this host).

It seems that the BIOS locks the register (by writing 1 to bit 0).  To 
find out if the BIOS has locked the register, use rdmsr again and look 
at the lowest bit.  In the example above you can see that the BIOS 
disabled VT and locked the register.  Once the register is locked, the 
only way around it is to reboot.

If the register is unlocked you can enable VT by writing a 1 to bit 2.

If you don't want to use the msr-tools, then direct access to the 
register can be had through /dev/cpu/<id>/msr.  For example this is an 
strace of rdmsr 0x3a:

open("/dev/cpu/0/msr", O_RDONLY)        = 3
pread(3, "\3\377\0\0\0\0\0\0", 8, 58)   = 8

However you need to be root to open /dev/cpu/0/msr.

On machines which don't support the IA32_FEATURE_CONTROL MSR you will 
get an EIO error:

pread(3, 0x7ffff81ec810, 8, 58)         = -1 EIO (Input/output error)

Rich.

Notes:

[1] I don't think this is possible with AMD's Pacifica extensions.  I'm 
not sure if it's possible to disable these in the BIOS & lock them.

[2] http://www.kernel.org/pub/linux/utils/cpu/msr-tools/

Sources:

* linux/drivers/kvm/vmx.c: function vmx_disabled_by_bios

* "Intel® Trusted Execution Technology Preliminary Architecture 
Specification" section 2.1.2
   (http://download.intel.com/technology/security/downloads/31516803.pdf)


-- 
Emerging Technologies, Red Hat  http://et.redhat.com/~rjones/
64 Baker Street, London, W1U 7DF     Mobile: +44 7866 314 421
  "[Negative numbers] darken the very whole doctrines of the equations
  and make dark of the things which are in their nature excessively
  obvious and simple" (Francis Maseres FRS, mathematician, 1759)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3237 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20070314/f90589fc/attachment-0001.bin>

More information about the libvir-list mailing list